Page 1

VANGUARD SECURITY & COMPLIANCE 2016

Sherry Courtney

Duke Energy

BTB2

Remediating CICS User’s Experience

SECURITY & COMPLIANCE CONFERENCE 2016

Page 2

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited

license to view these materials for your organization’s internal purposes. Any unauthorized

reproduction, distribution, exhibition or use of these copyrighted materials is expressly

prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University

Page 3

Legal Notice

The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF

zSecure

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.

Page 4

Session Abstract

Has your company recently merged with another company? Have you recently converted to RACF® from ACF2 or Top Secret? Are you new to an organization that hasn't cleaned up the RACF database in years? Are you now being tasked with remediating RACF/CICS® security?

This class is designed to show you where to begin, what to expect, considerations for determining whether you need to build profiles from scratch or remediate existing profiles, how to capture SMF data without blowing up SMF, and do's and don'ts for remediating.

Page 5

Instructor's Bio

With more than 40 years of experience in Information Technology and System Security Engineering, Sherry leverages her extensive knowledge base and expertise to assist with CICS security in RACF, DB2® internal security to RACF migrations, z/OS® and RACF assessments, RACF remediation projects, and RACF basic and advanced training at Vanguard Security Conferences for 20+ years. Along with working as a Security Engineer, Sherry has performed numerous RACF security audits and reviews as a consultant with major audit firms. Sherry is well known in the RACF security world and has worked as a consultant within several Fortune 500 companies.

Page 6

Agenda

Purpose

• RACF/CICS brief overview

–IBM® Supplied Classes

• Do you know how CICS is protected in your shop?

• Locating System Initialization Parameters in Use

–XTRN

–XCMD

–XPPT

–XSFCT

–etc.

Page 7

AGENDA, CONT'D

• Steps for Remediation

1. System Level Transaction profiles

2. Group Class Transaction profiles

3. Member Class Transaction profiles

• Recommendations

Page 8

Purpose

• Let’s assume your company has just merged with another company, you have inherited new CICS RACF security to support, and the CICS security review you now have to do has found major issues.

• How to Remediate CICS Security

Page 9

Brief RACF/CICS Overview

• RACF protection for CICS

–CICS Datasets protected at the ‘region’ level

• Programs and Table Libraries

• CICS System datasets

• Application datasets

–CICS-defined resources protected at the USER level

• CSD (CICS System Definition Dataset)

• CPSM (CICSPlex® System Manager)

Page 16

How to find what RACF Classes are in use

Page 17

Example of finding SYSIN from Job Log

Page 18

Other Resource Class Information

Page 19

Another example of System Parameters

Page 20

Example of Finding SYSIN from JCL
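The agenda item "Locating System Initialization Parameters in Use" (XTRN, XCMD, XPPT, XSFCT) and the slides "How to find what RACF Classes are in use" and the two SYSIN examples all come down to the same check: read the region's SIT security overrides and work out which RACF resource classes CICS will actually call for each resource type. The script below is an added example, not the presenter's material. It parses a constructed SYSIN override listing and reports, per X-parameter, whether the check is on, off, or left to the SIT default, and which member/grouping class pair applies. It assumes the agenda's "XTRN" and "XSFCT" refer to the SIT keywords XTRAN and XFCT, and it derives class names by the documented pattern as I understand it: YES selects the IBM-supplied pair (TCICSTRN/GCICSTRN, CCICSCMD/VCICSCMD, MCICSPPT/NCICSPPT, FCICSFCT/HCICSFCT, and so on), a user-supplied name gets the same one-letter prefixes in front of that name, and SEC=NO switches external security off regardless of the X-parameters.

```python
"""Map the security-related CICS SIT parameters found in a region's SYSIN
overrides to the RACF resource classes CICS will check.

Added example for this deck (not the presenter's code). The SYSIN text below
is constructed. Class-name derivation follows the IBM-documented pattern as
understood here: YES -> IBM-supplied member/grouping pair; a user name -> the
same prefixes + that name; NO -> no check. SEC=NO turns external security off.
"""
import re

# SIT keyword -> (member-class prefix, grouping-class prefix, IBM-supplied suffix).
# Assumption: the agenda's "XTRN" and "XSFCT" mean the SIT keywords XTRAN and XFCT.
SIT_CLASS_MAP = {
    "XTRAN": ("T", "G", "CICSTRN"),  # transaction (attach) security
    "XCMD":  ("C", "V", "CICSCMD"),  # SP command security
    "XPPT":  ("M", "N", "CICSPPT"),  # program (PPT) security
    "XFCT":  ("F", "H", "CICSFCT"),  # file (FCT) security
    "XDCT":  ("D", "E", "CICSDCT"),  # transient data queues
    "XJCT":  ("J", "K", "CICSJCT"),  # journals
    "XPCT":  ("A", "B", "CICSPCT"),  # started-transaction (PCT) security
    "XPSB":  ("P", "Q", "CICSPSB"),  # DL/I PSBs
    "XTST":  ("S", "U", "CICSTST"),  # temporary storage queues
}

PARAM_RE = re.compile(r"^([A-Z][A-Z0-9]*)=([^,\s]+)")


def parse_sit_overrides(text):
    """Return {KEYWORD: VALUE} from SYSIN-style 'KEY=VALUE,' lines.
    Lines starting with '*' are comments; '.END' ends the override deck."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip().upper()
        if not line or line.startswith("*"):
            continue
        if line.startswith(".END"):
            break
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def classes_for(keyword, value):
    """RACF member and grouping class names CICS uses for one X-parameter value."""
    member_pfx, group_pfx, ibm_suffix = SIT_CLASS_MAP[keyword]
    if value == "NO":
        return []
    suffix = ibm_suffix if value == "YES" else value
    return [member_pfx + suffix, group_pfx + suffix]


def security_report(params):
    """Status of every resource-type check, given the parsed SIT overrides."""
    sec = params.get("SEC")
    report = {"SEC": sec}
    for keyword in SIT_CLASS_MAP:
        value = params.get(keyword)
        if sec == "NO":
            status, classes = "inactive (SEC=NO)", []
        elif value is None:
            status, classes = "not in overrides (SIT default applies)", []
        elif value == "NO":
            status, classes = "disabled", []
        else:
            status, classes = "checked", classes_for(keyword, value)
        report[keyword] = {"value": value, "status": status, "classes": classes}
    return report


# Constructed SYSIN overrides for a hypothetical region; not taken from the deck.
SAMPLE_SYSIN = """\
* SIT overrides - region CICSTEST (constructed sample)
SEC=YES,
SECPRFX=NO,
XTRAN=YES,
XCMD=NO,
XPPT=YES,
XFCT=PAYFCT,
.END
"""

if __name__ == "__main__":
    rep = security_report(parse_sit_overrides(SAMPLE_SYSIN))
    print(f"SEC={rep['SEC']}")
    for kw, info in rep.items():
        if kw == "SEC":
            continue
        classes = " ".join(info["classes"]) or "-"
        print(f"{kw:6} {str(info['value']):8} {info['status']:40} {classes}")
```

Run it against the SYSIN DD of each region's JCL (or the overrides echoed in the job log, as the two slides show); anything reported as "disabled" or "not in overrides" is a resource type whose protection you need to confirm before building or remediating profiles in the corresponding class. The XFCT=PAYFCT line shows why the class list matters: a user-named class pair (FPAYFCT/HPAYFCT) will not be found by someone searching only for the IBM-supplied FCICSFCT/HCICSFCT profiles.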

Page 21

RACF TRANSACTION CLASS

Page 22

Step 1 – Defining Testing Classes

Page 23

Step 2 – Remediating System Level Transactions

Page 24

Findings for System Transactions

Page 25

Remediating System Findings

Page 26

Remediating System Transactions' Access

Page 27

Using Grouping Class Profiles

Page 28

Access Determinations

Page 29

Step 3 – Remediating Transaction Class Profiles

Page 30

Step 4 – Other Considerations

Page 31

Considerations Continued

Page 32

Considerations Continued

Page 33

FINAL STEP

Page 34

Recommendations

Page 35

Reference Material

Page 36

Contact Information

Page 37

Thank you!

SECURITY & COMPLIANCE CONFERENCE 2016